[feature request] Exclude certain programs with firecfg?

[rieje]

Currently, I have firecfg called as a pacman hook when updating my system--useful for automatically using firejail with new programs. However, I'm currently debugging LibreOffice (finding it very difficult to have a decent experience with Firefox and the clipboard) and would like to exclude that from firecfg.

What's a good workaround? chattr +i doesn't work on symlinks.

[glitsj16]

Until a native feature is integrated to do what you want, I'd place a small wrapper script in /usr/local/bin/firecfg and disable/enable any applications before running the real deal firecfg. Call it with 'skip' to keep state. Point your pacman hook to this script and debug LibreOffice until you're done. Something like the below should work [untested]:

#!/bin/sh
#
# disable/enable applications from firecfg

### vars
_bin="/usr/bin/firecfg"
_conf="/usr/lib/firejail/firecfg.config"

### logic
# triage
case "$1" in
    disable)
	for _app in libreoffice lobase localc lodraw loffice lofromtemplate \
	    loimpress lomath loweb lowriter soffice; do
		sed -i -e "s/${_app}/#${_app}/" "$_conf"
	done
	;;
    enable)
	for _app in libreoffice lobase localc lodraw loffice lofromtemplate \
	    loimpress lomath loweb lowriter soffice; do
		sed -i -e "s/#${_app}/${_app}/" "$_conf"
	done
	;;
    skip)
	true
	;;
esac

# ensure firecfg gets the options it understands
shift

# run the real deal
${_bin} "$@"

[rusty-snake]

what about

firecfg
cd /usr/local/bin
rm libreoffice localc ...

[rusty-snake]

Duplicate of #2097

[rusty-snake]

and #2829. Looks like a realy wanted feature.

[rusty-snake]

The long time goal here would be file based (see discussions in #2829 and #2097), but a fast fix can be something like --ignore=PROGRAM.

[pizzadude]

I have a script in /usr/local/bin/ called "unlinkfirejailapps" which does "unlink appname" in /usr/local/bin/ for the programs I don't want to use firejail with.